4-step methodology
Every OSINT investigation follows the same four-step sequence. Complete each step before moving to the next — skipping ahead leads to unverified results and wasted effort.Define the question
Determine exactly what you want to know. A precise question scopes the investigation, prevents scope creep, and makes success measurable.
Identify sources
Select the data types and sources relevant to your question. Use the table below to match data types to their usual locations and recommended tools.
Collect
Gather data using both manual techniques and automated tools. Follow collection with immediate evidence preservation.
Data types, usual locations, and star tools
| Data type | Usual location | Star tool |
|---|---|---|
| Name | LinkedIn, Facebook | Maigret |
| Data breaches, newsletters | HIBP | |
| Phone | WhatsApp Business, TrueCaller | Infobel |
| Username | Forums, gaming, GitHub | Snoop |
| Photo | Geolocation, EXIF | ExifTool |
| Domain | WHOIS, certificates | Amass |
| IP | Scanning, Shodan | Shodan |
| Crypto wallet | Blockchain explorers | BlockCypher |
Tools mind map
The following diagram shows how the major OSINT tool categories branch from the core discipline.Bellingcat methodology
The Bellingcat methodology is a six-step framework developed for open-source conflict and investigative reporting. It emphasizes preservation and verification above all else.Identification
Define exactly what you are investigating. Establish the specific claim, event, or subject before any collection begins.
Preservation
Archive everything immediately using tools such as archive.is and the Wayback Machine. Online content disappears — preserve before you proceed.
Verification
Triangulate every finding with three or more independent sources. A claim supported by fewer than three sources should be treated as unconfirmed.
Contextualization
Build a complete chronology of events. Place your findings in their historical, geographic, and social context.
Documentation
Record every piece of evidence with screenshots, cryptographic hashes, and timestamps. Maintain a chain of custody for all collected material.
The Bellingcat methodology was developed for conflict open-source research and has been adopted widely across investigative journalism and threat intelligence disciplines.
Professional OSINT cycle (5 phases)
The professional intelligence cycle structures OSINT work from initial tasking through final delivery. It is used by intelligence analysts, corporate investigators, and law enforcement practitioners.Direction
Define the intelligence requirements.
- Define questions (RFI — Request for Intelligence)
- Establish legal limits
- Approve scope
Collection
Gather raw data from all approved sources.
- Passive sources
- Semi-passive sources
- Save evidence
Processing
Convert raw data into usable information.
- Normalize data
- Translate languages
- Structure information
Analysis
Derive intelligence from processed information.
- Link analysis (Maltego)
- Timeline creation
- Pattern recognition
- Cross validation